Anger mounts after Facebook's 'shadow profiles' leak in bug

Anger mounts after Facebook's 'shadow profiles' leak in bug

Summary: Facebook said Friday it fixed a bug that exposed contact info for over six million accounts. The admission revealed its 'shadow profile' data collection activities, and users are furious. UPDATED.


Friday Facebook announced the fix of a bug it said inadvertently exposed the private information of over six million users when Facebook's previously unknown shadow profiles accidentally merged with user accounts in data history record requests. 

According to Reuters, the data leak spanned a year beginning in 2012.

Sunday, June 23, 8:15 PM PST: Updated at page bottom to reflect response statements from Facebook.

facebook shadow profiles

The personal information leaked by the bug is information that had not been given to Facebook by the users - it is data Facebook has been compiling on its users behind closed doors, without their consent.

A growing number of Facebook users are furious and demand to know who saw private information they had expressly not given to Facebook.

Facebook was accidentally combining user's shadow profiles with their Facebook profiles and spitting the merged information out in one big clump to people they 'had some connection to' who downloaded an archive of their account with Facebook's Download Your Information (DYI) tool.

According to the admissions in its blog, posted late Friday afternoon, Facebook appears to be obtaining users' offsite email address and phone numbers and attempting to match them to other accounts. It appears that the covertly collected information is then being stored in each Facebook user's invisible 'shadow profile' that is somehow attached to accounts.

Users were clearly unaware that offsite data about them was being collected, matched to them, and stored by Facebook.

Looking at comments on Facebook's blog and community websites such as Hacker News, Facebook users are extremely angry that the phone numbers and email addresses that are not-for-sharing have been gathered and saved (and now accidentally shared) by Facebook.

Facebook stated in its post yesterday that the bug was resolved, but Facebook users are telling a different story today in the comments.

One man commented this afternoon, "I just downloaded the "extended backup" and I'm still viewing emails and phone numbers that are NOT PUBLIC!!!!"

Facebook explained in its post that the bug shared information about a user that had been scraped from a source other than the personal data the user had ever entered into Facebook about themselves.

The action of the bug is that if a user downloaded their own Facebook history, that user would also download email addresses and phone numbers of their friends that other people had in their address books, without their friends ever knowing Facebook had gathered and stored that information.

This data is being gathered by Facebook about individuals through their friends' information about them - harvested when a user grants Facebook address book or contact list access.

Facebook did not specify which app or contact database tool was utilized when collecting and matching offsite-sourced data about users.

The social network said that it was harvesting and matching the offsite-sourced data to user profiles - creating these shadow profiles - "to better create friend suggestions" for the user.

Facebook users are deftly reading between the lines. One commenter on Hacker News observed wisely,

The blog says the fix was made in the DYI tool. That means they would continue to maintain "shadow profiles", but would stop letting others know that FB has a shadow profile on you.

Facebook's post downplays the significance of the data breach by telling users that while six million accounts were exposed, very few people saw the personal phone and email data because it could only be seen when a user downloaded their Facebook history.

The social giant assured users their shadow profiles were shared only with Facebook users they were somehow connected to,

if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.

Facebook did not specify in its post what is meant by "somehow connected to" and comment speculation is attempting to fill in the gaps.

According to Reuters, who spoke with a Facebook representative, the data was being exposed in this manner for about a year.

What the revelation means is that Facebook has much more information on us than we know, it may not be accurate, and despite everyone's best efforts to keep Facebook from knowing our phone numbers or work email address, the social network is getting our not-for-sharing numbers and email addresses anyway by stealing them (albeit through 'legitimate' means) from our friends.

The yearlong gap of exposure as described by Reuters creates a scenario of horrifying possibilities for any woman who has begin to experience harassment, abuse or stalking by an ex within the past year. Or, anyone being maliciously stalked and harassed by a tech-savvy aggressor (or a stalker's Facebook sock puppet) they may have accidentally friended over the past year.

This could be remedied and harm would be greatly reduced if Facebook addressed and answered the growing demands of its users to know who has seen their non-Facebook private data.

What it means for me is that even though I've been very careful not to give my phone number to Facebook or the men in my "friends," the guys I've 'friended' might have gotten my phone number anyway, regardless of my consent. I did not know they may have been able to get my phone number throughout the course of a year, and now I have no way of finding out who might have gotten my phone number.

I am glad I've never used a Facebook app or allowed Facebook access to my contacts in any way whatsoever. (Yay paranoia.) The private numbers and emails of my friends and colleagues should remain exactly that: private.

Facebook has officially stated that it does not know of any malicious use derived from the bug.

This appears to be the first time Facebook has publicly admitted that users' shadow profiles contain more than native data (such as posts or information you deleted but are retained by Facebook) and also contain data that Facebook has harvested.

Meanwhile, anger continues to rise on the Facebook post, and as of this writing there are no representatives from Facebook in the comments to quell the storm.

UPDATE Sunday, June 23, 8:15 PM PST: In an email today from Facebook Policy Communications, ZDNet learned that concern about collection, storage and shadow profiling of contact data is the sole fault of users who failed to read (or remember) the Facebook policies they agreed to when they were getting started on Facebook. 

Facebook said that users should already know about the contact collection practices because they are told about it on this page. It states that their address book contacts will be saved to Facebook servers and stored, then used in cross-matching contact data to other users.

(However, I'd be remiss not to point out that this page does not tell users they are agreeing to have this type of data collection done about them, as well.)

Facebook did not directly answer my request for a statement in response to user anger regarding data being collected about them and attached to their accounts without their consent (the shadow profiles).

In answer to this question, Facebook again directs users to re-read the "Finding Friends" section of Help Center > Get Started on Facebook.

Facebook's emails did help to clarify some aspects of its users' shadow profiles - users' combined data.

Facebook's representative told me that the data is not obtained through an app or database tool. Data about you is obtained by the seemingly innocuous voluntary actions on Facebook of people you know.

In Facebook's explanation, it is obtaining data on individuals in a form of third party collection through voluntary user submission. It is reasonable to conclude that the data is only involuntarily collected and saved for the people the data is matched to - in this case, the six million accounts that were affected.

Facebook said that it would take "precise and coincidental timing" for a malicious person to use the DIY tool with intent and obtain Facebook's combined (shadow profile) data on a targeted user. Yet we know the bug was live for a year, and combined with Facebook's admission in the blog post regarding false positives, it's a fair guess on our side to suspect that a non-trivial risk remained.

Facebook did not respond to my request for a statement regarding user demands to know who had seen their shadow profile contact information.

UPDATE Tuesday June 25 5:40 PM PST: added links to new ZDNet investigative article about security team findings on Facebook's shadow profiles.

Topics: Security, Data Management, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Facebook Shadow Profile Data

    I have assumed for years that anything I post anywhere online is likely to be seen by anyone. Internet privacy is a myth. At least now my opinions about politics, foreign policy, domestic policy and the general decline of America's standard of living and reputation are known by the government. I'm retired and not running for political office so I don't worry. I'm seventy years old now, so I hope I will be gone before everything falls apart, but things are happening so rapidly that I don't know if I will get out in time.
    Anything posted on the internet stays there for ever and ever and ever!
    • It's not what you put online

      I think you may be missing the biggest implication of this. It's that if you, offline, in the real world, give me your phone number, which you have never put online at all, and I then use the tool Facebook provides to match my contacts with my "Facebook friends", that tool will, without my knowledge, take your phone number and attach it to your profile for any of your "Facebook friends" to download.

      Things are being added to the internet without us realising.
      • This breach of privacy is truly scary!

        This breach of privacy is truly scary! Even Germany's Gestapo could find out this much information about people, and the Soviet's KGB would be proud of all of this.

        Liberal and Fascist governments believe only THEY should have secrets from citizens. Citizens should have no secrets.
        Noble Furr
        • Gestapo??

          Have you not read the news about your own government?
          And do you really think that if the next president is a Republican that he will within 24 hours of assuming office delete all records such as you discuss...or will he let the bureaucracy continue to what it has done for decades?
          I think the latter my friend.
        • Not to worry!

          Obama says not to listen to those voices that talk about tyranny.

          I'm certain he was channeling that other popular Democrat President, FDR- just before he sent Japanese Americans to Manzanar.
    • This is nothing compared to the shadow profile google has on you and

      actively sells to advertisers. googles invasion of your privacy is much more to be concerned about.
      Johnny Vegas
      • reply to Johnny Vegas

        Selling to advertisers doesn't bother me. Its the price of free services and I don't have to buy their stuff. If you don;t want people to sell data to advertisors then be ready to pay for email, docs, search, social media etc...

        What bothers me is who else get access to that data for data mining and profiling. That data mining operation can be used to creat very accurate profiles of individuals. Those profiles can now be used against you by any faction who doesn't like your "politics" not the just evil corporations and government.
        • It should bother you then

          Read the first few word. SELLING. Selling to advertisers...
          Do you really think once your info is sold it goes nowhere? What's the first think advertisers do with your info, try to make money off it. How would they do it, sell it, profile you, etc.
          If you care about your privacy at all, any company who's coin of trade is your info should be a concern. Google has made an entire business of collecting information about you to create a profile that would make the KGB or SSS weep with pride, and thanks to the ironic Patriot and similar acts' destruction of the constitution, everything google has is up for grabs by the US government, one with a history of abusing much less info. Google has been caught wifi snooping and hacking people's computers if they turned off tracking, so obsessed with capturing every bit of info on you they can. If you care at all about your info you'd know just collecting all that info is irresponsible since they have to turn it over and can be gagged forced to lie by the twisted laws.
          • Really?

            Hacking, snooping and selling data? I assume you mean the Safari cookie bug that Apple didn't fix for months and that was widely used (not saying it was a smart choice by Google, though), the passive wifi packet collection (only unencrypted traffic over unencrypted wifi is readable) and their anonymous statistics that they sell, respectively?

            If you're going to complain about what they are doing, at least stick to the truth.

            Not to mention that EVERY major company is forced to share their data in one way or another with NSA. Your best option is SERVERLESS, not switching company, if you truly are concerned.

            Fortunately we do have a few good options, like Bote mail on I2P.
      • Evidence?

        I have not seen any evidence yet of Google keeping shadow profiles or selling anything but anonymous statistics. Please post any evidence if you have some, it would be very interesting to read.
    • Facebook Shadow Profile Data

      All you have to worry about now is the Obamacare death panel.
      Squeek Eron
  • So, who do the extra phone numbers belong to?

    Note: This also stood out to me, from the Facebook blog post:

    "There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals."

    So, who do those numbers and email address belong to - and why does Facebook harvest and keep numbers and addresses from people who are not on Facebook?

    This reminds me of when they got called out for making profiles for people who are not on Facebook.
    Violet Blue
    • No worries

      Don't worry Violet, it's just metadata.
      Jay C. Davis
      • Metadata

        Evil in a Haystack: "How do you find a terrorist hidden in millions of gigabytes of metadata?"
        • Well

          Seeing as how the US government appears to have trained and collaborated with most "threats", it shouldn't be that hard. They just have to look at who they sell what to or arm who with or train for what, I suppose. The reason all the intel is restricted and would put people at risk is supposedly because they have so many inside people. They don't have to look past their own meetings, and don't need to concern themselves with regular Americans who play on the Internet or discuss politics I'd think...
      • Metadata

        And what is metadata? Does it trump privacy and personal rights? Don't be so cavalier or you'll end up permitting yourself and your family to be at the mercy of nerds like Zuckerberg and the US Government.
    • ...they got caught??

      Has F-book (read "expletive-deleted - book") got caught in fraud by inflating the number of users by inventing them, so they could launch that IPO and run off with the money?

      Survey says "probably"
    • Phone numbers are keys to unlocking all kinds of networks

      Most phone numbers collected in the United States will have ten or eleven digits, and some may have country codes. From these, one can trace communications networks between individuals, and get a fairly good picture of what one does, where one works, social groups, etc. etc. etc.

      Before even using reverse lookup software, once can analyze millions of phone numbers and collect all matches. Then, the matches are traced to known numbers of users/citizens/companies, and THEN using reverse lookup software, you can easily determine who is talking to whom. (You can also trace data such as pictures by timing the calls.)

      This is why the "mistake" is of major concern. At the risk of sounding paranoid, we've got FB collecting information it is not supposed to have, and the sharing it with the NSA or whomever in government.

      Privacy from government snooping was one of the major concerns of the Founding Fathers. They would croak if they saw what was happening today.
      Noble Furr
  • Bloginator

    Let's bring a class action lawsuit against Facebook; I'm pretty sure the terms of service say that Facebook must protect user data or face some serious consequences. Or at least get some compensation from Facebook, like maybe a free month of Facebook for anyone that was affected. Or maybe Zuckerberg could come by your house and apologize in person, because it's pretty likely that he knows where you live.
    Anono Mouser
    • 'he knows where you live'

      Your comment makes me realize that people are making the same jokes about Facebook/Zuckerberg as the NSA right now. This doesn't make me feel any better about it all:

      Facebook's Former Security Chief Now Works for the NSA
      Violet Blue